I would also consider this for physical network isolation.
Put your eth0 and eth1 on separate switches and subnets, then work on
the firewall tuning between the NICs in the box from there.
I think doing that may follow a stronger firewall physical paradigm where
you can disconnect networks to help contain situations until resolved
rather than throwing rules at your iptables while under stress.
The extra costs of a couple of switches and wiring could get easily
offset by your labor time over a few months.
Tait Clarridge wrote:
> On Fri, 2009-11-27 at 14:02 +1300, Steven Ellis wrote:
>> Running Centos 5.4 with KVM on a Dell R610 server and I'd like to
>> control which of the four ethernet interfaces are used for specific
>> tasks
>>
>> My ideal configuration would be
>> eth0 - Host traffic only, no virtual guests. Used for guest mirroring
>> and management.
>> eth1 - NAT guest traffic only, no address for local machine and in
>> some environments in the same zone as eth0
>> eth2/3 - Allocated to two different bridge devices which might be in
>> separate network zones.
>>
>> The configuration of eth2/3 is fairly simple, my issue is restricting
>> any NAT traffic to a specific ethernet device, and ideally one with
>> no local IP.
>>
>> Any ideas?
>>
>> Steve
>
> So if I have this right, at the basic level you wish to have:
> - One interface for Host machine
> - Multiple interfaces for guest traffic
>
> If your environment supports VLANs (802.1Q), might I suggest a trunk
> port on eth1 split up into different bridges to have the KVM guests go
> through to get on different VLANs/address spaces.
>
> This is what I currently do for Xen and it works great. What kind of
> network setup do you have?
>
> _______________________________________________
> CentOS-virt mailing list
> CentOS-virt at centos.org
> http://lists.centos.org/mailman/listinfo/centos-virt
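A worked example of the two pieces discussed in this thread, added here by the editor and not code posted by anyone on the list: the CentOS 5 ifcfg files for Tait's "802.1Q trunk on eth1 split into bridges" layout, and an iptables rule set that confines the libvirt NAT network to one physical NIC as Steven asked. Device names (eth1, br10, virbr0), the VLAN ID and the 192.168.122.0/24 guest subnet are assumptions for illustration. On CentOS 5 you also need VLAN=yes in /etc/sysconfig/network so the 8021q module is loaded. One caveat on the "no local IP" wish: MASQUERADE rewrites the source to an address on the egress interface, so the NAT egress NIC must carry an address; what you can do is keep the host address-less on the guest-facing bridges, which this example does.

```shell
#!/bin/sh
# Editor's added example (not from the CentOS-virt thread). Interface
# names, VLAN IDs and subnets are assumptions chosen for illustration.

# write_vlan_bridge DIR PARENT VID BRIDGE
# Writes ifcfg-PARENT.VID, an 802.1Q subinterface enslaved to BRIDGE, and
# ifcfg-BRIDGE, an address-less bridge that guests attach to. DIR is
# normally /etc/sysconfig/network-scripts; pass a scratch dir to test.
write_vlan_bridge() {
    dir=$1; parent=$2; vid=$3; br=$4
    printf 'DEVICE=%s.%s\nVLAN=yes\nBOOTPROTO=none\nONBOOT=yes\nBRIDGE=%s\n' \
        "$parent" "$vid" "$br" > "$dir/ifcfg-$parent.$vid"
    # No IPADDR on the bridge: the host owns no address in the guest VLAN,
    # so guests in that zone cannot reach the host's management interface
    # directly; only the routed/firewalled path exists.
    printf 'DEVICE=%s\nTYPE=Bridge\nBOOTPROTO=none\nONBOOT=yes\nDELAY=0\n' \
        "$br" > "$dir/ifcfg-$br"
}

# nat_rules GUEST_NET WAN_IF
# Prints iptables commands that let the libvirt NAT network (GUEST_NET on
# virbr0) leave the host only through WAN_IF, and drop any other forwarding
# from virbr0 (to eth0 management, to the bridged zones, etc.).
# MASQUERADE requires an address on WAN_IF; that NIC cannot be address-less.
nat_rules() {
    net=$1; wan=$2
    cat <<EOF
iptables -t nat -A POSTROUTING -s $net ! -d $net -o $wan -j MASQUERADE
iptables -A FORWARD -i virbr0 -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o virbr0 -d $net -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i virbr0 -j DROP
iptables -A FORWARD -o virbr0 -j DROP
EOF
}

# Demo: run "./guest-net.sh --demo" to write configs into a temp dir and
# print the NAT rules, without touching the live system.
case "${1:-}" in
--demo)
    scratch=$(mktemp -d)
    write_vlan_bridge "$scratch" eth1 10 br10   # VLAN 10 -> br10 (zone A)
    write_vlan_bridge "$scratch" eth1 20 br20   # VLAN 20 -> br20 (zone B)
    echo "ifcfg files written to $scratch:"; ls "$scratch"
    nat_rules 192.168.122.0/24 eth1
    ;;
esac
```

libvirt's default network already installs its own MASQUERADE and FORWARD rules for virbr0 when libvirtd starts, so apply these as a replacement after libvirtd is up (or disable the default network's NAT) rather than stacking them on top. The guest-facing bridges br10/br20 are then selected per guest in the domain XML as the bridge source.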